Setting permissions for a document using the MarkLogic REST API

I am trying to specify permissions for documents in a MarkLogic 6 database using the REST API.

This is the permissions metadata that I submit ( permissions.xml ):

    <rapi:metadata xmlns:rapi="http://marklogic.com/rest-api"
                   xmlns:prop="http://marklogic.com/xdmp/property">
      <rapi:permissions>
        <rapi:permission>
          <rapi:role-name>arole</rapi:role-name>
          <rapi:capability>update</rapi:capability>
        </rapi:permission>
        <rapi:permission>
          <rapi:role-name>brole</rapi:role-name>
          <rapi:capability>read</rapi:capability>
        </rapi:permission>
      </rapi:permissions>
    </rapi:metadata>

using this command:

    curl --anyauth --user user:pass -X PUT -T permissions.xml \
      -H "Content-type: application/xml" \
      "http://localhost:8003/v1/documents?uri=/test/test.xml&category=permissions"

When I look at permissions after this, I see:

    arole (update)
    brole (read)
    rest-reader (read)
    rest-writer (update)

I expected it to only have permissions for arole and brole.

The documentation says: "Unless permissions are explicitly set, documents created using the MarkLogic REST API have read permission for the rest-reader role and update permission for the rest-writer role." (And yes, I know this example does not create a new document, but the same thing happens if I add a new document and set its permissions at the same time with a multipart content + metadata message via the REST API.)

Setting permissions through direct xquery calls (e.g. xdmp:document-insert with permissions) using the same user and database works as expected.

How can I stop the REST API from adding these extra permissions?

EDIT:

There is a ticket open with MarkLogic; I don't know of a fix date or version yet.

In case someone else comes across this, what really helped me: create new roles (or change existing ones) and give them the rest-reader and/or rest-writer execute privileges, instead of having them inherit the rest-reader/rest-writer roles or assigning the rest-reader/rest-writer roles to the user directly.

+7
rest permissions marklogic
2 answers

The internal function docmodupd:write-permissions always combines the input permissions with the existing xdmp:default-permissions. This is done so that rest-reader can read the document and rest-writer can update it. As far as I can tell, there is no API to control this behavior.

If you have a strong precedent for excluding these additional permissions, contact support.

+3

The easiest way to get access through REST, but NOT universal access to documents, is to create custom roles that you assign to users instead of the built-in roles. Add default read/write permissions for this role (if you do not want to specify permissions on each document insert), as well as the REST execute privileges you want the role to have (http://marklogic.com/xdmp/privileges/rest-writer, http://marklogic.com/xdmp/privileges/rest-reader). Do not assign the built-in rest-reader or rest-writer role to the custom role, just the execute privilege(s).

Custom roles will then be able to use all REST endpoints, but will not have universal access to all documents created through the REST interface. Searches and document GET requests return only documents that the user's role has access to, and the user will not be able to change documents for which their role does not have update permission.

+2
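The role setup described in the answer above (and in the question's EDIT), written out as an added XQuery example; it is not code from the original thread and not MarkLogic's own code. It assumes the MarkLogic 6 Security API signatures for sec:create-role, sec:privilege-add-roles and sec:role-set-default-permissions, the constructed role names app-reader and app-writer, and that it is run against the Security database (for example in Query Console with "Security" selected) by a user holding the security role. The two statements are separated by ";" so that they run as separate transactions and the roles created in the first one are visible to the second.

```xquery
xquery version "1.0-ml";
(: Added example, not from the original thread. Run against the Security
   database as a user with the security role. The role names app-reader and
   app-writer are constructed for illustration. :)
import module namespace sec = "http://marklogic.com/xdmp/security"
  at "/MarkLogic/security.xqy";

(: Statement 1: create the custom roles with no inherited roles, so that
   neither rest-reader nor rest-writer is picked up indirectly. :)
sec:create-role("app-reader",
  "Reads application documents through the REST API", (), (), ()),
sec:create-role("app-writer",
  "Writes application documents through the REST API", (), (), ())
;

xquery version "1.0-ml";
import module namespace sec = "http://marklogic.com/xdmp/security"
  at "/MarkLogic/security.xqy";

(: Statement 2, a separate transaction so the roles above now exist:
   grant only the execute privileges the REST endpoints check. :)
sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/rest-reader",
  "execute", ("app-reader", "app-writer")),
sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/rest-writer",
  "execute", "app-writer"),

(: Default permissions applied to documents that app-writer inserts without
   explicit permissions: only the two custom roles, not rest-reader/rest-writer. :)
sec:role-set-default-permissions("app-writer",
  (xdmp:permission("app-reader", "read"),
   xdmp:permission("app-writer", "read"),
   xdmp:permission("app-writer", "update")))
```

Users are then given app-reader or app-writer instead of rest-reader or rest-writer. This also lines up with the first answer: the REST layer merges the caller's xdmp:default-permissions, which are derived from the caller's roles, so once the caller no longer holds rest-reader/rest-writer those two roles stop appearing on every document, and a check of the document's permissions metadata after a PUT should list only the roles you intended.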
